Adopt Go 1.25 cross origin protections?

[yawn]

In a recent blogpost @FiloSottile discussed background research that went into a feature of the Go standard library: a modern CSRF protection middleware.

axum can be considered as one of the equivalents of (the server part) of net/http and might want to consider porting this feature. This boils down to (quoting from the blog):

1. Allow all GET, HEAD, or OPTIONS requests
2. If the Origin header matches an allow-list of trusted origins, allow the request
3. If the Sec-Fetch-Site header is present and the value is same-origin or none, allow the request, otherwise reject
4. If neither the Sec-Fetch-Site nor the Origin headers are present, allow the request
5. If the Origin header’s host (including the port) matches the Host header, allow the request, otherwise reject it

Seems simple enough to implement. Giving the thoroughness of the background research and subsequent inclusion of the solution into the Go standard this seems like a worthy addition to axum.

[syphar]

CORS is something that is supported in tower-http, which you can easily use with axum. I personally that the reason go puts it into the standard library is reason enough to put it into axum too.

I don't know if the tower-http CORS support is up to what the blogpost describes as "modern", but IMO any potential improvement is better aimed at tower-http.

[yawn]

This discussion is about CSRF though but your point might be still valid. AFAIK tower-http has no support for that baked-in atm.

[jplatte]

I agree this seems more suitable for tower-http.

[yawn]

Moved it over to tower-http.

[syphar]

early morning brainfart, realized I threw CSRF & CORS together 🤦 probaly because of mentions of the Origin header and trusted origins.

[yawn]

No worries, your recommendation for this to go towards tower remained correct.